[edk2-devel] [PATCH v1 4/6] UefiPayloadPkg: Add secure boot configurations
Subash Lakkimsetti
subash.lakkimsetti at intel.com
Wed Mar 22 05:58:44 UTC 2023
From: Subash Lakkimsetti <subash.lakkimsetti at intel.com>
Add the required modules for secure boot in
UefiPayloadPkg. SECURE_BOOT_ENABLE flag added to control
the secure boot feature. Requires SMM_SUPPORT and
flash to be SPI for the secure boot to function.
Cc: Guo Dong <guo.dong at intel.com>
Cc: Ray Ni <ray.ni at intel.com>
Cc: Sean Rhodes <sean at starlabs.systems>
Cc: James Lu <james.lu at intel.com>
Cc: Gua Guo <gua.guo at intel.com>
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti at intel.com>
---
UefiPayloadPkg/UefiPayloadPkg.dsc | 37 ++++++++++++++++++++++++++++---
UefiPayloadPkg/UefiPayloadPkg.fdf | 4 ++++
2 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index 2f5c70ec9c..f31e5aac16 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -45,6 +45,8 @@
DEFINE BOOTSPLASH_IMAGE = FALSE
DEFINE NVME_ENABLE = TRUE
+ DEFINE SECURE_BOOT_ENABLE = FALSE
+
#
# NULL: NullMemoryTestDxe
# GENERIC: GenericMemoryTestDxe
@@ -287,7 +289,14 @@
DebugLib|MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibReportStatusCode.inf
LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
+!if $(SECURE_BOOT_ENABLE)
+ AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
+!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+!endif
!if $(VARIABLE_SUPPORT) == "EMU"
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
!elseif $(VARIABLE_SUPPORT) == "SPI"
@@ -353,6 +362,9 @@
!if $(PERFORMANCE_MEASUREMENT_ENABLE)
PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf
!endif
+!if $(VARIABLE_SUPPORT) == "SPI"
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+!endif
[LibraryClasses.common.UEFI_DRIVER,LibraryClasses.common.UEFI_APPLICATION]
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -469,6 +481,12 @@
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
!endif
+!if $(SECURE_BOOT_ENABLE)
+ # override the default values from SecurityPkg to ensure images from all sources are verified in secure boot
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04
+ gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04
+!endif
[PcdsPatchableInModule.X64]
!if $(NETWORK_DRIVER_ENABLE) == TRUE
@@ -629,9 +647,7 @@
#
# Components that produce the architectural protocols
#
-!if $(SECURITY_STUB_ENABLE) == TRUE
- MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
-!endif
+
UefiCpuPkg/CpuDxe/CpuDxe.inf
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
!if $(BOOTSPLASH_IMAGE)
@@ -655,6 +671,17 @@
MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
!if $(DISABLE_RESET_SYSTEM) == FALSE
MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
+!endif
+ #
+ # Components that produce the architectural protocols
+ #
+!if $(SECURITY_STUB_ENABLE) == TRUE
+ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+ <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE)
+ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+ }
!endif
PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
!if $(EMU_VARIABLE_ENABLE) == TRUE
@@ -811,6 +838,10 @@
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
!endif
+!if $(SECURE_BOOT_ENABLE)
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
#
# Misc
#
diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf
index ee7d718b3f..b52e6c75a5 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.fdf
+++ b/UefiPayloadPkg/UefiPayloadPkg.fdf
@@ -172,6 +172,10 @@ INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
!endif
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
!if $(MEMORY_TEST) == "GENERIC"
--
2.39.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#101581): https://edk2.groups.io/g/devel/message/101581
Mute This Topic: https://groups.io/mt/97777997/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list